Splunk Search

Don't get eval based macros

andersmholmgren
Explorer

I just can't seem to understand how the eval based macros are supposed to work

I wrote a very simple macro

[TEST]
definition = "TEST"
iseval = 1

then a query to test the output

index=_audit | head 1 | eval test1=`TEST`  | eval test2=tostring(`TEST`) | table test*

The output is one column 'test2' with a value of Null

Why is that? Shouldn't the value be "TEST" for both columns? If not why not?

Tags (3)
0 Karma
1 Solution

genthaler
Engager

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

An eval-based macro returns a string, which is substituted into the query. Your macro returns the string TEST, without quotes, so you are getting:

... | eval test1=TEST  | eval test2=tostring(TEST) | ...

In this case, TEST is used as the name of a non-existent variable. You can get what you intended either with @genthaler's answer, or by putting the quotes in the query:

... | eval test1="`TEST`"  | eval test2=tostring("`TEST`") | ...

genthaler
Engager

Hi @gkanapathy,
I just tried it, unfortunately quoted macro invocations don't get invoked.
So instead of "TEST", you end up with the literal string "`TEST`".

0 Karma

genthaler
Engager

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...